Small Business Security Issues (Research Project) Small companies have a gamete of security problems or issues in today s

Transcription

1 Small Business Security Issues (Research Project) Introduction Small companies have a gamete of security problems or issues in today s competitive market place including vulnerabilities, threats, and risks. Although there are new technologies on the market to help reduce the security issues to a minimum or tolerated level of exposure, most small companies are limited in resources including security personnel and monies to purchase acceptable software and or hardware to properly address these concerns. The biggest concern is that in most shops there is not a strong consensus to develop an IT infrastructure as IT projects are expensive and have a history of failure due to improperly managed projects so generally management is reluctant to spend dollars in developing IT projects even at the cost of operating less than automation normally requires. Most companies tend to avoid costly projects due to the constraints of cost, time, and scope. This fact alone leaves the doors open to hackers, social engineers, and malicious software programs both online and in the office. Now let us take a look into exactly what kinds of security issues affect small companies. Social engineering is probably the most common type of threat to small companies as employees are friendlier with the public at this level of business operation. Key information is usually the competitive edge for the survival of most organizations

2 of this size and is the main reasons that they are reluctant to develop teams with other companies in the same field of interest. Information sharing is vital to building effective teams but due to the limited successes and narrow scope of these organizations they shy away from the more lucrative opportunities that await them in contracting with larger organizations. Leaving many shops isolated and prime targets for attacks of would be hackers, threats, risks, and vulnerabilities already resolved by the larger organizations that are more automated. According to the Business Journal of Silicone Valley/San Jose on SBC s internet article it states that Small companies lack the resources and the expertise to hire their own information technology staff, says Terry Williams, associate director for security services at SBC. 1 Small Business Security Threats A threat is defined as any circumstance or event that has potential to cause harm to a system in the form of destruction, disclosure, modification of data and/or denial of service. Natural disasters such as hurricane, earth quake, lightning, tornadoes, and some unnatural disasters like faulty wirings, unpaid light bills, unchallenged visitors, computer viruses, Trojan horses, or worms could shut down and offset many small business operations. Remember most small businesses are moving to the home as a cheaper operational front and are exposed to the same elements that the homes in general are exposed to on a daily basis. For consideration any and all of the above are more likely and

3 inevitable to occur in a home environment than a protected automated environment. Let us now examine stakeholders and their roles in security. Generally stakeholders are everyone that has an interest in the success or failure of the proposed or ongoing enterprise. Yes, you heard correctly there are actually people interested in the failure of your enterprise and would gladly assist in some way either direct or indirect to bring about the demise of your operation in way of some benefit to them whether tangible on intangible. Some of these parties could be personal enemies which use to be friends, business competitors, or someone who has an interest to take over your shop. They could launch malicious software attacks against you, send Trojans to your machines, or even send friends (of theirs) to your shop to social engineer passwords and compromise the integrity of your data. There is even spy-ware on the market that can copy your keystrokes as you type for maximum intrusion into information that is vital to your success or failure. The cost to prevent these types of intrusions can be in the thousands of dollars including hardware and software applications. However, with up to date operating systems and machinery the expense to bring this number to an accepted figure is well within reach. Jacksonville s Business Journal states that Blended threats represent the worst risk to computer security since the inception of computer viruses more than 20 years ago. Like the recent Blaster and Slammer worms, blended threats combine the most harmful characteristics of worms, viruses, Trojan horses and malicious code to exploit existing computer and Internet vulnerabilities. 3 Experience is really the best teacher to aid in the ever growing need of protection against threats. The context

4 of such threats can become so vague that an effective security plan would become a waste of time. We would have to minimize the content of which a threat exists or more plainly narrow our focus as it would be impossible to become threat-proof, however, we can set an environment that would deter the main threats most common to businesses on a day to day basis. Small Business Vulnerabilities Vulnerabilities can be defined as a weakness in security procedures, system design, implementation, internal controls, and so on that could be exploited to violate system security policy. Vulnerabilities are more system orientated than threats but none the less can be even more potent in nature. Most security personnel are expensive and professional security plans require experience as the plan is only as good as it is configured by the security administrator. However, in a small business environment where most times the main focus in on survival of the company often adequate security planning is discarded and the business owner places little or no value on an efficient security plan unless faced with a situation that will not just go away. The security professional may find it difficult to break through this market due to limited funds and resources as the main constraint. Enviably outdated hardware and software may have attributes in them which could be or lead to such vulnerabilities as buffer overflows or weaknesses in security due to computer maintenance attendees or other unwarranted personnel. The main vulnerability in small businesses today are

5 their internet connection as the internet grows with various business applications so does the dependency on the net grow in terms of automated business operation. Historically most business internet connections were dial up connections which were difficult but not impossible for hackers to intercept addresses collected to sites visited due to the nature of most dial up connections. With a dial up connection every time that you would connect to the internet the addressing would be random and someone trying to trace your activities would be somewhat at a loss. Today businesses use broadband base connectivity to the net based on its faster and more efficient access to business activities over the internet. However, with broadband services addressing is stored in your browser long than it is with a dial up connection leaving the user in most cases exposed to potential attacks from would be attackers just waiting for an opening or vulnerability to exploit. New York s Business Review states that Increasingly, companies are using the Internet to expand their markets. Recent media reports demonstrate the importance of effective corporate computer network security in today's interconnected and networked business environment. While these connections make information and computer resources readily available for enhanced business activities, they also potentially expose a company's computers and business information to sabotage and misuse. 2 Once again although there are software and hardware applications available to minimize these vulnerabilities most small companies do not have the proper trained staff on hand to properly assess the situation to advise business owners, managers, and administrators to effectively approach a solution which involves

6 implementing a professional security plan for the office IT infrastructure, hence the office is still at the mercy of would be attackers based on their vulnerabilities to the use of in house internet business applications. New York s Business Review also states that To implement a sound security procedure and policy, your first analysis should focus on identifying the vulnerability of your network security to either intentional or unintentional external/internal interference. 2 Small Business Security Risks Risk is defined as the probability that a particular threat will exploit a particular vulnerability of the system. In small business this system would be their information systems including all databases and internet access points. Some common risks in the small business sector would include: wireless communications, wireless and virtual networks, attackers using surveillance or probing techniques, and poorly developed or tested computer programs Cyberspace presents unique challenges to risk managers for several reasons, the foremost being that there is no standard risk profile. Albany s Business Review states that The wide variety of Internet-related businesses, such as Internet service providers, content aggregators, certification authorizers, online merchants and software developers, all contribute to the impossibility of developing a single risk profile. 4 The main purpose of risk management is to reduce risks to an acceptable level and not for a firm to become risk proof. We

7 can only hope to identify potential risks according to our risk analysis done in accordance to known threats and vulnerabilities. We have to set priorities according the value of assets to be protected and assigning values to potential threats. The previously mentioned risk analysis is valued for quantifying the impact of potential attacks or threats. There are also several risk elements to consider mainly the exposure factor, single loss expectancy, annualized rate of occurrence, and annualized loss expectancy. These factors help measure the expectant loss of and exposure of an organization to various risks. The factors can also be assigned numerical values and looked at quantitatively or given a scenario description for a qualitative approach to risk analysis. This process may seem a bit overly involved but the value of protecting your information is priceless. The Boston Business Journal puts it plainly by stating Securing your organization's proprietary information and systems is of paramount importance in a competitive business environment. Computer systems and technologies, although a necessity in today's fast-paced business world, also offer competitors and criminals access to your information if you are not properly protected. 7 Although both qualitative and quantitative methods can become extensive projects within themselves in the small business arena one can emphasize the crucial systems to analyze and prepare policies base on those systems first. Eventually moving to lower systems until full fledge security controls are updated throughout the entire information system of the company. In this way critical resources are conserved for the day to day business operation of the enterprise.

8 Security Solutions for Small Business We have now examined the threats, vulnerabilities, and risks in the small business arena and the reasons why most small businesses do not have in place good security policies for their systems. One may have become somewhat disorientated to conducting business in the small business context but the common denominator to all of the security issues is the absence of a sound security policy to facilitate good business practices leading to a more secure business environment. Teaming with larger firms may be a way to share resources including security tips gain from such a union. Houston s Business Journal states that Executives and IT managers of small and medium-sized businesses are looking to their Internet service providers for help in preparing for and preventing unexpected security and IT threats. 5 The first thing to do is plan a strategy according to the security analysis of your business environment or context were an effective written security plan may be formulated. The scope definitions of the business operation should include security as an element of the work break down structure (WBS). Just as good scope definitions up front lead to a successful business venture also a sound focused security policy leads to successful security controls. A good well written security plan including the element of sound security practices can well out do all the elaborate technological gadgetry on the market concerning fancy firewalls which cannot withstand the simplest encrypted computer attacks. This fact alone will save resources that are so scarce in small businesses today. Most times the latest

9 technology is not always the cure in system security. However, managing who has access to your system security on the physical, virtual, and information levels are primary to controlling a context in which we can provide adequate protections to our key systems. Good security policies consist of procedures, guidelines, regulations, and standards which are the main elements of the security policy similar to the WBS s main elements are the levels of work that will be completed in project management. There are also policy types that are distinct from procedures, standards, and guidelines. We should be familiar with these types as to define what context or scope that our policy should take considering the scare resources available in the small business sector. Firstly there is a senior management statement of policy, a high level statement which reflects the importance of computer resources to the scope of the business, support for security services rendered to information systems, and a commitment to authorize and manage lower level security policies. Secondarily, there are general organization policies which include regulatory, advisory, and informative policies. Finally, the rest of the hierarchy structure contains functional policies, mandatory standards within the contextual security boundary, recommended guidelines, and detailed procedures. Now since we have defined security policies there is now a base in place for sound security implementation. This does not mean using vital company resources to launch an over budgeted security project that the company cannot afford. As budgets for security in the small business sector will limit spending so you will have to prioritize or focus on critical systems first. However, now we have a context to configure significantly the security

10 needs of the firm with management taking the lead roles in making a high level statement to show the commitment to security from the ownership or top down implementation no matter how cash strapped the company may be. Although security issues are everyone s concern and the employees should be empowered to take security initiatives the key passwords and administrative permissions should only be assigned to select personnel of the organization. With the proper policies, enforcements and consistencies done across the board even small business can take advantage of security controls and implement effective protection against would be attackers that would normally comprise the unsuspecting enterprise. The Business Courier of Cincinnati states that Additionally, many organizations fail to realize that the majority of information security threats come from those who work for the organization or have extensive knowledge of the internal network. 6 The emphasis on physical security plays an important role in your overall security policies, controls and planning. Awareness programs, incentives to implement sound practices, and training on security issues will lead to a better environment for business owners and security professionals alike as they work hand in hand for a better tomorrow.

11 Website References and Footnotes 1 Business Journal of Silicone Valley/San Jose, Website, 3 Jacksonville s Business Journal, Website, 2 New York s Business Review, Website, 4 Albany s Business Review, Website, 7 Boston Business Journal, Website, 5 Houston s Business Journal, Website, 6 Business Courier of Cincinnati, Website,